
Set up publishing of SNAPSHOT builds to GitHub Packages#75

Merged
carlspring merged 3 commits into master from issue/74/set-up-snapshot-publishing-to-github-packages
Mar 30, 2026

Conversation

@carlspring
Collaborator

@carlspring carlspring commented Mar 29, 2026

Task Description

Fixes #74 :

  • Added workflow for publishing SNAPSHOT builds.
  • Added workflow for removing SNAPSHOT builds once a pull request has been merged.

Summary by CodeRabbit

  • New Features

    • Automatic snapshot publishing for pull requests and master with distinct PR vs. master snapshot naming.
  • Documentation

    • Added “Snapshot Builds (Pre-release)” with Maven and Gradle consumption and authentication instructions.
  • Chores

    • Added automated cleanup of PR snapshot artifacts when merged.
    • CI updates: workflow triggers adjusted and action versions updated; publishing to GitHub Packages enabled; signing limited to release builds.

@coderabbitai

coderabbitai bot commented Mar 29, 2026

Walkthrough

Add CI jobs and workflows to publish PR/master SNAPSHOT artifacts to GitHub Packages and to delete PR-specific snapshots after merge; make signing conditional for release builds; bump several GitHub Actions versions; and document snapshot consumption and authentication in README.

Changes

Cohort / File(s) / Summary

  • Publish Snapshot CI (.github/workflows/build.yml): Switched PR trigger to pull_request_target (types: opened, synchronize, reopened); pinned checkout to PR head ref; upgraded actions (actions/checkout@v6, actions/setup-java@v5); added publish-snapshot job that computes PR vs master snapshot versions and publishes via Gradle to GitHub Packages.
  • Cleanup Snapshot CI (.github/workflows/cleanup-snapshot.yml): New workflow Clean up PR snapshot triggered on merged PRs; computes <BASE>-PR-<pr>-SNAPSHOT, lists GitHub Packages Maven versions via gh (paginated), filters exact matches, and deletes matching package version IDs with authenticated DELETEs.
  • Workflow version bumps (.github/workflows/codeql.yml, .github/workflows/deploy-tagged.yml): Updated actions/checkout@v6 (CodeQL); updated actions/checkout@v6 and actions/setup-java@v5 (deploy-tagged). No other functional changes.
  • Build config (build.gradle.kts): Make signing required only for release builds (setRequired({ isReleaseVersion }) and Sign tasks onlyIf { isReleaseVersion }); added GitHubPackages Maven repo at https://maven.pkg.github.com/uploadcare/uploadcare-java using GITHUB_ACTOR/GITHUB_TOKEN credentials.
  • Docs (README.md): Added "Snapshot Builds (Pre-release)" section documenting snapshot naming for PRs and master, instructions to consume snapshots via Maven/Gradle, and GitHub Packages authentication / PAT guidance.

Sequence Diagram(s)

sequenceDiagram
  participant PR as Pull Request
  participant Actions as GitHub Actions (publish-snapshot)
  participant Gradle as Gradle Wrapper
  participant GHPackages as GitHub Packages
  Note over PR,Actions: Trigger on PR opened/synchronized/reopened or push to master
  PR->>Actions: trigger publish-snapshot job
  Actions->>Actions: read base version, compute snapshot_version
  Actions->>Gradle: run ./gradlew publishReleasePublicationToGitHubPackagesRepository -Pversion=snapshot_version
  Gradle->>GHPackages: publish Maven artifacts (auth: GITHUB_TOKEN)
  GHPackages-->>Actions: publish response/status
sequenceDiagram
  participant GitHub as GitHub (PR merged event)
  participant Cleanup as GitHub Actions (cleanup-snapshot)
  participant GHAPI as gh CLI / GitHub Packages API
  participant Deleter as HTTP DELETE to GH Packages
  GitHub->>Cleanup: trigger on pull_request.closed (merged)
  Cleanup->>Cleanup: compute SNAPSHOT_VERSION = BASE-PR-<n>-SNAPSHOT
  Cleanup->>GHAPI: list package versions (paginated)
  GHAPI-->>Cleanup: return version list
  Cleanup->>Deleter: DELETE matching version IDs (authenticated)
  Deleter-->>Cleanup: deletion responses/logs
  Cleanup-->>GitHub: log completion

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly and concisely summarizes the main change: setting up SNAPSHOT build publishing to GitHub Packages, which matches the primary focus of all changes.
Linked Issues check ✅ Passed All coding objectives from issue #74 are met: SNAPSHOT publishing from PRs [build.yml, publish-snapshot job], after merge to master [build.yml], cleanup on merge [cleanup-snapshot.yml], and documentation updates [README.md].
Out of Scope Changes check ✅ Passed All changes are in scope: workflow modifications for snapshot publishing/cleanup, build.gradle updates for GitHub Packages publishing, README documentation, and action version updates supporting these objectives.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 54-57: The workflow currently allows the publish job to run for
all pull_request events despite GitHub restricting GITHUB_TOKEN to read-only for
forked PRs; update the job's run condition (the if: expression that currently
checks "github.event_name == 'pull_request' || (github.event_name == 'push' &&
github.ref == 'refs/heads/master')") to gate publishing only for same-repository
PRs by adding a check like "&& github.event.pull_request.head.repo.full_name ==
github.repository" for the pull_request branch, or alternatively restrict the
publish job to only run on push to master; ensure this prevents attempting
package publish when permissions (packages: write / GITHUB_TOKEN) are read-only.

In @.github/workflows/cleanup-snapshot.yml:
- Around line 21-27: The current get-version step recomputes BASE_VERSION from
gradle.properties which can drift; instead derive and match snapshots by the
immutable PR suffix (e.g. -PR-<n>-SNAPSHOT). Update the get-version step to stop
trimming gradle.properties and instead create a SNAPSHOT_SUFFIX variable (or use
the PR number) like SNAPSHOT_SUFFIX="-PR-${{ github.event.number }}-SNAPSHOT"
(or extract that suffix from the published-version output if available), then
use that suffix when filtering artifacts for cleanup (replace uses of
BASE_VERSION with pattern "*${SNAPSHOT_SUFFIX}" when removing snapshots). Ensure
variables referenced include get-version, BASE_VERSION (remove or leave unused),
and the new SNAPSHOT_SUFFIX so the cleanup matches the exact PR snapshot instead
of recomputing the base version.
- Around line 18-19: Update the GitHub Actions usage of the checkout action by
replacing the pinned version string "actions/checkout@v3" with
"actions/checkout@v4" in the workflow; locate the step with the name "Checkout"
that uses the actions/checkout action and change the version tag to `@v4` to
ensure the runner uses the Node 20-compatible, actively maintained release.

In `@build.gradle.kts`:
- Around line 46-48: The repository name set in the Maven repository block
(maven { name = "uploadcare-snapshots-github" }) doesn't match the
Gradle-generated publish task used in CI; rename that repository to
"GitHubPackages" so the generated task becomes
publishReleasePublicationToGitHubPackagesRepository (or alternatively update
your CI to call the task that matches the current name), i.e., change the name
value in the maven { ... } block to "GitHubPackages" to align with the
workflow's publishReleasePublicationToGitHubPackagesRepository step.

In `@README.md`:
- Around line 57-101: The README's Maven and Gradle snapshot sections omit
authentication details required by GitHub Packages; add instructions showing how
to configure Maven server credentials (matching the repository id used in the
pom example, e.g., "uploadcare-snapshots") in settings.xml with a username and a
personal access token (PAT) that has read:packages, and add a Gradle credentials
block for the maven repository (username and password = PAT) or show using
environment variables for the PAT so the repository declaration in build.gradle
/ build.gradle.kts can authenticate; reference the repository id/name used in
the provided pom.xml and build.gradle snippets to ensure credentials match.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 12c9ddc7-6d07-4759-b7b1-96a1ff4f4670

📥 Commits

Reviewing files that changed from the base of the PR and between a7bc483 and f84f990.

📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .github/workflows/cleanup-snapshot.yml
  • README.md
  • build.gradle.kts

@carlspring carlspring force-pushed the issue/74/set-up-snapshot-publishing-to-github-packages branch from f84f990 to 20b31fd Compare March 29, 2026 17:04

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/build.yml (1)

88-96: Consider updating gradle/gradle-build-action to @v3.

While not flagged by static analysis, gradle-build-action@v2 is also outdated. v3 has been available since late 2023 with improved caching and Node 20 support.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 88 - 96, Update the "Setup Gradle"
GitHub Actions step to use the newer action version by changing the uses value
from gradle/gradle-build-action@v2 to gradle/gradle-build-action@v3; ensure the
step named "Setup Gradle" and its with keys (gradle-version,
gradle-home-cache-cleanup, gradle-home-cache-includes) remain intact and run a
workflow test to confirm caching and Node 20 compatibility under the
gradle/gradle-build-action@v3 update.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 83-86: Update the GitHub Action step that references
actions/setup-java@v3 to actions/setup-java@v4 so the workflow runs with Node
20-compatible tooling; locate the uses: entry "actions/setup-java@v3" in the
workflow and change the version tag to "@v4" while keeping the existing with:
java-version: 8 and distribution: 'temurin' settings unchanged.
- Line 61: Update the GitHub Actions checkout step to use the v4 major release:
replace the uses entry referencing actions/checkout@v3 with actions/checkout@v4
so the workflow runs on a Node 20-compatible runner; update any pinned inputs if
present and run/validate the workflow to ensure no breaking changes from v3→v4.

In @.github/workflows/cleanup-snapshot.yml:
- Line 41: The workflow .github/workflows/cleanup-snapshot.yml is targeting the
GitHub Packages API path "/orgs/${{ github.repository_owner
}}/packages/maven/com.uploadcare.uploadcare/versions" but Uploadcare publishes
the Java SDK to Maven Central, so confirm whether PR snapshot artifacts are
actually pushed to GitHub Packages; if not, either remove/disable this cleanup
job or change the workflow to target the correct registry (e.g., stop using the
GitHub Packages path or implement cleanup for Maven Central/your actual
publishing target), and update any credentials/registry names accordingly so the
cleanup job corresponds to where artifacts are published.

---

Nitpick comments:
In @.github/workflows/build.yml:
- Around line 88-96: Update the "Setup Gradle" GitHub Actions step to use the
newer action version by changing the uses value from
gradle/gradle-build-action@v2 to gradle/gradle-build-action@v3; ensure the step
named "Setup Gradle" and its with keys (gradle-version,
gradle-home-cache-cleanup, gradle-home-cache-includes) remain intact and run a
workflow test to confirm caching and Node 20 compatibility under the
gradle/gradle-build-action@v3 update.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bac7b582-a63e-47a9-bf8d-cba8b6c09bc0

📥 Commits

Reviewing files that changed from the base of the PR and between f84f990 and 20b31fd.

📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .github/workflows/cleanup-snapshot.yml
  • README.md
  • build.gradle.kts
✅ Files skipped from review due to trivial changes (1)
  • README.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • build.gradle.kts

@carlspring carlspring force-pushed the issue/74/set-up-snapshot-publishing-to-github-packages branch from 20b31fd to 0977d3a Compare March 29, 2026 17:17
* Added workflow for publishing `SNAPSHOT` builds.
* Added workflow for removing `SNAPSHOT` builds once a pull request has been merged.
@carlspring carlspring force-pushed the issue/74/set-up-snapshot-publishing-to-github-packages branch from 0977d3a to 66a5408 Compare March 29, 2026 17:33
Co-authored-by: Steve Todorov <steve-todorov@users.noreply.github.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Line 4: The workflow uses pull_request_target but the condition and checkouts
assume a pull_request; fix by either switching the workflow trigger to
pull_request or (if you must keep pull_request_target) update the conditional
and checkout steps: change the condition testing github.event_name to compare
against 'pull_request_target' (or better, use a combined check like
github.event_name == 'pull_request' || github.event_name ==
'pull_request_target'), and for both the build and publish-snapshot jobs replace
the default checkout with an explicit actions/checkout invocation that checks
out the PR head (use repository: github.event.pull_request.head.repo.full_name
and ref: github.event.pull_request.head.ref or ref:
github.event.pull_request.head.sha and a token: secrets.GITHUB_TOKEN) so the PR
code is built/published; ensure changes are applied in the jobs named build and
publish-snapshot.
- Around line 74-78: The branch that builds SNAPSHOT_VERSION uses a conditional
on github.event_name that only checks "pull_request", which fails when the
workflow runs on the pull_request_target trigger; update the conditional that
sets SNAPSHOT_VERSION (the if block that assigns SNAPSHOT_VERSION) to also
detect "pull_request_target" (or check both "pull_request" and
"pull_request_target") so PR builds use the PR-specific "-PR-<number>-SNAPSHOT"
format; keep the same assignment logic for SNAPSHOT_VERSION and ensure the
conditional covers both event names.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d124b304-88c8-4668-a65a-f05920edc811

📥 Commits

Reviewing files that changed from the base of the PR and between efeb183 and 881ae10.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

@carlspring carlspring force-pushed the issue/74/set-up-snapshot-publishing-to-github-packages branch from 881ae10 to 28bd895 Compare March 30, 2026 01:02
* Added workflow for publishing `SNAPSHOT` builds.
* Added workflow for removing `SNAPSHOT` builds once a pull request has been merged.
@carlspring carlspring force-pushed the issue/74/set-up-snapshot-publishing-to-github-packages branch from 28bd895 to f2f5747 Compare March 30, 2026 01:16

@coderabbitai coderabbitai bot left a comment


♻️ Duplicate comments (1)
.github/workflows/build.yml (1)

4-5: ⚠️ Potential issue | 🔴 Critical

Do not execute PR head Gradle code from pull_request_target.

pull_request_target runs with base-repo trust, and GitHub explicitly warns not to check out or build untrusted PR code with this event. This workflow does that in both jobs, and publish-snapshot then injects GITHUB_TOKEN / GITHUB_ACTOR into a Gradle build that the PR controls; build.gradle.kts:46-55 reads those env vars for GitHub Packages credentials, so a fork PR can exfiltrate the token or publish unexpected artifacts. actions/checkout also keeps an auth token available unless persist-credentials: false is set. Prefer a pull_request build for untrusted code, then do any privileged publish from a trusted follow-up workflow that does not re-execute PR code. (docs.github.com)

Also applies to: 27-29, 52-59, 63-65, 101-105

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 4 - 5, The workflow uses the
pull_request_target event and therefore runs with base-repo privileges while
checking out and building PR-controlled code (see pull_request_target,
actions/checkout and the publish-snapshot job), which allows a forked PR to
exfiltrate GITHUB_TOKEN/GITHUB_ACTOR via build.gradle.kts reading env vars;
change the trigger to pull_request for jobs that build or test untrusted PR
code, or if you must use pull_request_target, ensure you do NOT check out or
execute PR head code (set actions/checkout persist-credentials: false and avoid
running Gradle in that job) and move any privileged publish steps
(publish-snapshot) into a separate trusted workflow that runs only on base
events (e.g., workflow_run or push to main) so Gradle never receives
GITHUB_TOKEN/GITHUB_ACTOR from untrusted code.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/build.yml:
- Around line 4-5: The workflow uses the pull_request_target event and therefore
runs with base-repo privileges while checking out and building PR-controlled
code (see pull_request_target, actions/checkout and the publish-snapshot job),
which allows a forked PR to exfiltrate GITHUB_TOKEN/GITHUB_ACTOR via
build.gradle.kts reading env vars; change the trigger to pull_request for jobs
that build or test untrusted PR code, or if you must use pull_request_target,
ensure you do NOT check out or execute PR head code (set actions/checkout
persist-credentials: false and avoid running Gradle in that job) and move any
privileged publish steps (publish-snapshot) into a separate trusted workflow
that runs only on base events (e.g., workflow_run or push to main) so Gradle
never receives GITHUB_TOKEN/GITHUB_ACTOR from untrusted code.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ea2b7047-e630-406e-97b5-e8b3fd655bc7

📥 Commits

Reviewing files that changed from the base of the PR and between 28bd895 and f2f5747.

📒 Files selected for processing (1)
  • .github/workflows/build.yml
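As an added example (not the project's workflow and not code from this PR), the two workflow shapes discussed in the review side by side: the pull_request_target shape the bot flags, kept as comments, and a hardened build.yml that follows the review's own suggestions. Untrusted PR code is built under pull_request with read-only permissions and persist-credentials: false, and only pushes to master or pull requests whose head branch lives in this repository reach the job that receives GITHUB_TOKEN, so a fork's build.gradle.kts never runs with a write-capable token. Job and step names, the gradle.properties version line and the use of secrets.GITHUB_TOKEN are assumptions; the Gradle task name is the one the page quotes.

```yaml
# Added example, not the project's own build.yml. Job/step names, the
# gradle.properties layout and the credential wiring are assumptions.

# --- Weak shape (what the review flags) -------------------------------------
# on:
#   pull_request_target:          # base-repo trust + secrets for fork PRs
# jobs:
#   publish-snapshot:
#     steps:
#       - uses: actions/checkout@v6
#         with:
#           ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
#       - run: ./gradlew publishReleasePublicationToGitHubPackagesRepository
#         env:
#           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}          # read by that code

# --- Hardened shape ---------------------------------------------------------
name: Build

on:
  push:
    branches: [master]
  pull_request:
    types: [opened, synchronize, reopened]

# Workflow-wide default is read-only; a job re-declares only what it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false   # no token left in .git/config for Gradle to find
      - uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '8'
      - run: ./gradlew build           # PR code runs here with no secrets at all

  publish-snapshot:
    needs: build
    # Publish only on push to master, or for PRs whose head is in this very
    # repository (the author already holds write access). Fork PRs never match.
    if: >-
      (github.event_name == 'push' && github.ref == 'refs/heads/master') ||
      (github.event_name == 'pull_request' &&
       github.event.pull_request.head.repo.full_name == github.repository)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '8'
      - name: Compute snapshot version
        id: version
        env:
          # Expressions go through env so nothing is spliced into the shell text.
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Assumes gradle.properties carries a line like "version=1.2.3-SNAPSHOT".
          base="$(sed -n 's/^version=//p' gradle.properties | sed 's/-SNAPSHOT$//')"
          if [ "$EVENT_NAME" = "pull_request" ]; then
            echo "snapshot_version=${base}-PR-${PR_NUMBER}-SNAPSHOT" >> "$GITHUB_OUTPUT"
          else
            echo "snapshot_version=${base}-SNAPSHOT" >> "$GITHUB_OUTPUT"
          fi
      - name: Publish to GitHub Packages
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # GITHUB_ACTOR is already a default env var
        run: >-
          ./gradlew publishReleasePublicationToGitHubPackagesRepository
          -Pversion=${{ steps.version.outputs.snapshot_version }}
```

Because the trigger is pull_request, the event-name check in the publish condition and in the version step agree, which is the mismatch the bot reported against the pull_request_target version. Fork PRs still get a build, but a GITHUB_TOKEN with packages: write is only minted for the job that cannot be reached from a fork.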

@carlspring carlspring merged commit bbee812 into master Mar 30, 2026
5 checks passed
@carlspring carlspring deleted the issue/74/set-up-snapshot-publishing-to-github-packages branch March 30, 2026 01:45